Tor

Tor is a project to allow privacy while using the Internet and to limit usage tracking. It routes your traffic through several anonymous nodes, so that your usage appears to come from an IP other than your own. (There are always risks when using the Internet that even Tor cannot help with, though. Read this.) Using Tor can slow down your Internet usage significantly, depending on how much traffic is being passed through the Tor network. (Routine file-sharing or large downloads will also significantly reduce performance of the Tor network.)

Tor network speed improves when more volunteers run relays (relays also have better anonymity), bridges, and exit nodes. Please consider being a relay or bridge node if your ISP does not filter Tor and you have good bandwidth. Additionally, please consider configuring your relay as an exit node (if you are in a favorable network and don't mind a little bit of potential hassle for being an exit node).

Note: Due to recent attacks on the Tor network, it is worthwhile to install the most current version of Tor. See this section.

Note: Attack vectors to defeat Tor anonymity have been described. See here and here.

Install Tor (Network privacy)

Install Tor by following the instructions here. Note that the instructions require port 11371 on your firewall to be open to use the gpg keyserver (and download the key for the Debian package). Then see the Tor installation guide for details. In general:

Tor can be run in its default configuration from the command-line (or from a menu item with the "Advanced -> Run in terminal" box ticked):

tor

A separate menu item can be created to reliably shut down Tor:

sudo killall tor

By default Tor listens for Socks5 traffic on port 9050. (Socks5 proxies are able to tunnel both UDP and HTTP traffic through them.) In general, applications (including other daisy-chained proxies) should be configured to use Tor as a Socks5 proxy on port 9050.

I don't like Tor to automatically start at boot, so I edit the /etc/tor/torrc configuration file (use the gedit text editor instead of kate if using Ubuntu instead of Kubuntu):

sudo kate /etc/tor/torrc

and change the line so it looks like:

#RunAsDaemon 1
RunAsDaemon 0

then restart Tor:

sudo /etc/init.d/tor restart

or

sudo service tor restart

I also like to make sure Tor doesn't start at bootup using Bootup Manager:

sudo apt-get install bum

Run Bootup Manager:

sudo bum

Make sure Tor doesn't start at bootup:

tor (unticked) -> Apply -> Yes

Using Tor with Firefox

Tor acts as a Socks5 proxy on port 9050. Recent versions of Firefox allow direction of all traffic, including DNS resolution, through a Socks5 proxy. To enable this behaviour (after starting and running a previously installed version of Tor):

Tor Browser Bundle

The Tor Browser Bundle (Tor, Vidalia GUI, a modified version of Firefox, and Torbutton) provides greater functionality and security than the stock Firefox version with the standalone Torbutton. Install from here the version for your language and unpack it. For example:

Then change to the extracted directory and start the Tor Browser Bundle:

cd tor-browser_en-US
./start-tor-browser

A menu item can also be created with the command to start it.

Torbutton (Firefox plug-in)

Once the Tor Browser Bundle is installed and Tor is running properly, Torbutton allows you to choose whether to use Firefox through the Tor anonymizing network or not. Updates to Torbutton can be installed using the .xpi extension found directly from the website.

As of 2012, Torbutton only works with modified versions of Firefox found in the Tor Project's Tor Browser Bundle (Tor, Vidalia GUI, a modified version of Firefox, and Torbutton) or with some older (non-updated) versions of Firefox.

Newer versions of Firefox may refuse to start when Torbutton is installed. If this occurs, Firefox must be started in safe mode:

firefox -safe-mode

Be sure to select "Start in Safe Mode" instead of "Reset Firefox" (unless you want to erase all your configuration settings and erase all your extensions/add-ons/plug-ins). Once in Safe Mode, the Torbutton extension can be disabled or removed (Firefox -> Tools -> Add-ons -> Extensions -> Torbutton -> Remove) and Firefox set to use "No proxy" in the Firefox Network settings:

The standalone Torbutton add-on for Firefox disables many functions of Firefox (when used with older unmodified versions of Firefox), such as the Drag and Drop function. It must therefore be disabled (Firefox -> Tools -> Add-ons -> Extensions -> Torbutton -> Disable) while using many of these Firefox functions.

Using Thunderbird with Tor

Tor acts as a Socks5 proxy on port 9050. Recent versions of Thunderbird allow direction of all traffic, including DNS resolution, through a Socks5 proxy. To enable this behaviour (after starting and running a previously installed version of Tor):

Note: To ensure absolute privacy of the location of your email client, an email account should be set up only through Tor (the first time) and should NEVER be accessed without tunneling through Tor.

TorBirdy (Thunderbird plug-in)

TorBirdy is an "experimental" Thunderbird email client add-on to allow older versions of Thunderbird to use the Tor network. (Also see the Tor website for more info.) It will not be able to be installed if you have recent versions of Thunderbird / Firefox. Install:

Note: Many services block FTP through Tor using Filezilla or any client that uses a separate communication channel and data channel. This is because the data channel and communications channel must be from the same IP address for these services, which doesn't occur using an FTP client through Tor. For such providers, use a browser-based FTP method instead.

Using Rekonq/Konqueror/Dolphin with Tor

KDE services that access the Internet, such as Rekonq, Konqueror, or the Dolphin File Manager, can be made to use Tor by setting the systemwide KDE "Network Settings" to use the Tor proxy. (All three programs share the same KDE Network Settings.)

Using Konversation with Tor

Konversation is an Internet Relay Chat client similar to mIRC. Unfortunately, without Tor your IP address is easily determined while using an IRC client. Konversation directly allows the use of a Socks5 proxy. If running Tor on port 9050, configure Konversation to use the Socks5 proxy on port 9050:

Pidgin

The Internet Messaging client Pidgin can be used with Tor using the Off-the-Record messaging system. Install the plugin:

sudo apt-get install pidgin-otr

XChat

The Internet Relay Chat client XChat can be used with Tor using the Off-the-Record messaging system. Install the plugin:

sudo apt-get install xchat-otr

Using Tor with Dropbox

Tor acts as a Socks5 proxy on port 9050. Recent versions of Dropbox allow direction of all traffic, including DNS resolution, through a Socks5 proxy. To enable this behaviour (after starting and running a previously installed version of Tor):

The transfer of multiple large files through Tor is discouraged as it slows down the Tor network.

Using proxies with Tor

usewithtor

If you installed a recent version of Tor from the repositories, you will have installed the "usewithtor" package. A number of applications can be automatically redirected to the Torsocks proxy (torsocks) with this utility:

usewithtor myapplication

A menu item with such a command can then be created.

By using torsocks, usewithtor will also block an application from sending UDP traffic (which is not anonymized by the Tor network).

Applications that you wish to "usewithtor" (with torsocks) or "torify" (with tsocks) should use port 8118 for the http proxy port and port 9050 for the socks port.

torify

Another method is to "torify" an application with a different tor socks proxy (tsocks) if tsocks has been configured (edit /etc/tor/tor-tsocks.conf).

torify myapplication

tsocks does not explicitly block UDP traffic, so if it is desirable to allow UDP traffic while anonymizing ftp traffic, use this method.

Privoxy

I use the Privoxy proxy to tunnel http traffic through Tor. Install the Privoxy http proxy:

sudo apt-get install privoxy

Applications can be set to send their http traffic to Privoxy over port 8118; Privoxy will then in turn forward the http traffic to Tor over port 9050. (Use an IP address other than 127.0.0.1 if Privoxy and/or Tor are not on the local machine. Use localhost instead of 127.0.0.1 if using IPv6 addressing on your systems).

Note: For some older versions of Privoxy, users have reported better success designating the address of the host computer as 127.0.0.1 instead of localhost in the configuration settings.

Edit configuration files.

In its configuration file, Privoxy is configured by default to listen on 127.0.0.1:8118. See Firewall considerations. Edit the Privoxy configuration file (use the gedit text editor instead of kate if using Ubuntu instead of Kubuntu):

sudo kate /etc/privoxy/config

Add the lines

forward-socks5 / 127.0.0.1:9050 .
forward-socks4a / 127.0.0.1:9050 .

Note: socks5 allows more authentication choices, UDP for external DNS resolution, and accommodates IPv6. (By including both lines, socks4a is used as a fallback if a program does not support socks5.)

Restart Privoxy:

sudo /etc/init.d/privoxy restart

or

sudo service privoxy restart

Other proxies

Other proxies such as socat or Polipo can also be used with Tor instead of Privoxy. Squid can also be daisy-chained to one of the proxies.

Ensuring applications use the proxy

See this advice. (Note: this is labeled as "old advice.") In (K)Ubuntu, the bash configuration files are at ~/.profile (i.e. /home/user/.profile) for the current user or at /etc/profile for system-wide usage. Using this advice, edit one of those two files and add the lines at the end of the file:

Using specific applications with Tor

Other applications may allow for the http proxy and the chainloaded socks services of Tor to be used independently (in parallel). Once Tor (and the relevant proxy or proxies) are running, the http proxy 127.0.0.1:8118 and the socks proxy 127.0.0.1:9050 can be specified in the configuration settings of an application that allows for this.

Tor GUIs

It is not necessary to use a GUI with Tor.

If you will use Tor with a GUI interface (such as Vidalia or TorK), however, edit the Tor configuration file (use the gedit text editor instead of kate if using Ubuntu instead of Kubuntu):

sudo kate /etc/tor/torrc

Add the line so that the GUI interface can control Tor over port 9051:

ControlPort 9051

Note: There is some concern that allowing control of Tor over port 9051 is not secure. If you will not be using a GUI, this step is not advised.
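A check for the concern in the note above, as an added example that is not part of the original guide: the function reads a torrc and reports a ControlPort that is enabled without CookieAuthentication or HashedControlPassword, or that is bound beyond loopback. The function name audit_control_port is hypothetical.

```shell
#!/bin/sh
# Added example (not from the original guide): audit a torrc for an exposed
# control port. An enabled ControlPort with neither CookieAuthentication nor
# HashedControlPassword lets any local process reconfigure Tor.
# audit_control_port is a hypothetical helper name.

# Prints one finding per line; prints nothing when the control port is
# disabled, or enabled with authentication on loopback.
audit_control_port() {
    awk '
        { sub(/#.*/, ""); key = tolower($1) }          # strip comments; option names are case-insensitive
        key == "controlport" && $2 != "" && $2 != "0"  { port = $2 }
        key == "cookieauthentication" && $2 == "1"     { auth = 1 }
        key == "hashedcontrolpassword" && $2 != ""     { auth = 1 }
        END {
            if (port == "") exit                        # control port not enabled
            if (!auth)
                print "ControlPort " port " has no authentication"
            # A bare port number binds to loopback; an explicit address may not.
            if (port ~ /:/ && port !~ /^(127\.|localhost:|\[::1\]|unix:)/)
                print "ControlPort " port " is bound beyond loopback"
        }
    ' "$1"
}

# Audit the system torrc when it is present and readable.
if [ -r /etc/tor/torrc ]; then
    audit_control_port /etc/tor/torrc
fi
```

If the first finding is reported, adding "CookieAuthentication 1" below the ControlPort line and restarting Tor clears it.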

Vidalia (Tor interface)

Vidalia is the recommended Qt4-based GUI frontend for Tor. If not installed with Tor, install:

sudo apt-get install vidalia

TorK (KDE Tor interface)

TorK is a KDE interface for Tor that relied on the older Qt3 platform. It is no longer included in the (K)Ubuntu repositories (as of Natty 11.04). However, if desired it can still be installed (along with the required older Qt3 libraries) by adding the Maverick repository (directly or using a package manager):

deb http://ubuntu.mirror.cambrium.nl/ubuntu/ maverick main universe

Installing TorK will also install Privoxy and, unless you have also added the Tor repository directly, an older version of Tor from the Ubuntu universe repositories. See these installation tips. Install:

sudo apt-get install tork privoxy

Run TorK (K menu -> Internet -> TorK Anonymity Manager) for the first time using the First Run Wizard (TorK -> Tools -> First Run Wizard).

"No, tor is going to run on this PC" then "I have to start Tor manually" then "Run A Tor client with default settings" then "I want to use Privoxy..." then "Privoxy starts in the background when my computer boots up" then go through the remaining options.

I then start ("Play") TorK as a Client. I happen to like Konqueror for Anonymous browsing, since it worked the first time for me without a problem. I keep Firefox for non-Tor browsing (so I don't have to change any of its settings) or install Torbutton (see below). You may have to fiddle with your Network proxy settings in Konqueror or Firefox (if things don't work the way you expect them to).

Configure the firewall (such as Firestarter) to allow ports 8118, 9050, and 9051, or just turn off the firewall completely, until everything is working. Then turn the firewall back on. (You should monitor your firewall carefully. TorK has settings to automatically turn it off, if you aren't careful.) No ports are required to be left open in the firewall for Tor to work, as all traffic will be directed through the socks port 9050 (which avoids the firewall).

Applications that you wish to "torify" (with tsocks) or "usewithtor" (with torsocks) should use port 8118 (i.e. 127.0.0.1:8118) for the http proxy and port 9050 (127.0.0.1:9050) for the socks port.

Once configured as a client successfully, if you have the bandwidth and a stable environment please enable the client/relay mode and/or server mode so that the Tor bandwidth is increased.

Note: TorK constantly monitors the network (both Tor and non-Tor traffic). This can cause slowing of the Tor traffic from your computer and even cause intermittent interruptions. (Tor runs in the background and does not require TorK to be running as a control module.) If Tor is running in a stable mode, it will be faster (and less problematic) to stop TorK (sudo killall tork) and allow Tor to run in the background.

Note: Traffic that is routed through Privoxy (and then presumably to Tor from Privoxy if configured correctly) will be logged as "non-Tor" traffic by TorK. As long as Privoxy is working correctly, however, this traffic is being forwarded through the Tor socket.

TorK does not start Privoxy properly. Privoxy must be started (prior to starting TorK) as a startup program (e.g. using the Bootup-Manager) or manually with the command:

sudo /etc/init.d/privoxy start

or

sudo service privoxy start

Prevent autostart of proxies and Tor

Whenever I stopped the TorK GUI and then later wanted to start it again, I had to manually kill the Privoxy and Tor processes first.

sudo killall privoxy
sudo killall tor

Further, Tor, Privoxy, and Polipo install themselves as automatically started services at bootup. Preventing automatic startup (at boot) of Tor and Privoxy (and/or Polipo) can be accomplished by one of the methods in this Ubuntu Forums thread. Personally, I like using Bootup-Manager:

which will also stop updates from re-installing the applications as startup services when updates are made.

If Privoxy is stopped, it must be re-started with the Bootup-Manager or using the command:

sudo /etc/init.d/privoxy start

or

sudo service privoxy start

Firewall considerations

Single computer

If you have the Tor client, the proxy client (Privoxy, Polipo, or socat), and the browser client (or other application) on the same computer, you do not need to have any open ports in order to use Tor. In such a circumstance it is safest to block all ports that connect to the Internet. The socks proxy bypasses the firewall entirely (so there is no need to leave any ports open in order for it to communicate).

By closing all ports (using a firewall), applications will be prevented from bypassing Tor (accidentally or unknowingly). Later, if you wish to have some of your traffic directed through Tor and some of your traffic routed outside of Tor, you can open the ports for the traffic that will not go through Tor.

Proxy on LAN

If the proxy (Privoxy, Polipo, socat, etc.) on your LAN is on a computer different from the computer(s) that have the end-user client applications, it is best to open the port (e.g. 8118) for communication only between computers on the LAN (with the end-application clients on them) and the computer on the LAN with the proxy on it. Port 8118 should then not be open to the Internet but only to the computers on the LAN that will use the proxy.

If the Proxy and Tor client are on different computers as well, port 9050 should be open (on the LAN, not on the Internet) between the computer with the Proxy and the computer with the Tor client only, so that the Proxy can forward traffic to the Tor client (but not to the Internet). (Obviously, if the Proxy and the Tor client are on the same computer, there is no need to open the 9050 port at all.)

Blocking all non-Tor traffic using iptables

To ensure that no unprotected traffic "leaks" from applications without your knowledge, it is possible to configure your firewall iptables to prevent all traffic except that which is transmitted through Tor.
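One way to write such a ruleset, as an added example that is not from the original guide: the script prints iptables-restore rules that drop all outbound traffic except loopback and connections opened by the Tor daemon itself, plus a small check for rules that would let other traffic out. It assumes Tor runs as the "debian-tor" system user (the Debian/Ubuntu package default); the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original guide). Assumption: the tor daemon
# runs as the system user "debian-tor"; pass another account name as $1.

# Emit an IPv4 ruleset in iptables-restore format.
tor_only_rules() {
    tor_user="${1:-debian-tor}"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Applications reach Tor (9050) and Privoxy (8118) over loopback only.
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# Replies to connections that the Tor daemon opened.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Only the Tor daemon may send TCP to the outside world.
-A OUTPUT -p tcp -m owner --uid-owner ${tor_user} -j ACCEPT
# Anything else (including direct DNS over UDP 53) is logged, then dropped
# by the chain policy, which makes leaking applications visible in the log.
-A OUTPUT -j LOG --log-prefix "non-tor-out: " --log-uid
COMMIT
EOF
}

# IPv6 uses separate tables; without this ruleset IPv6 traffic bypasses
# the IPv4 rules above entirely.
ipv6_block_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
COMMIT
EOF
}

# Read a ruleset on stdin and print every OUTPUT rule that accepts traffic
# without being limited to loopback or to a specific owner (a potential leak).
leaky_output_rules() {
    grep -e '^-A OUTPUT .*-j ACCEPT' | grep -v -e '-o lo ' -e '--uid-owner ' || true
}

# Print the IPv4 ruleset for review. After checking it, load with:
#   tor_only_rules   | sudo iptables-restore
#   ipv6_block_rules | sudo ip6tables-restore
tor_only_rules "${1:-debian-tor}"
```

Running "sudo iptables-save | leaky_output_rules" after later firewall changes shows whether any rule has been added that lets traffic out around Tor.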

Tor network initialization

It may be necessary to open port 443 (or less desirably port 80) to allow resolution of the nodes of the Tor network. Consider using DNS privacy methods.

Troubleshooting

Upgrading to Tor 0.2.4

In 2013 a botnet appears to have started to operate on Tor using the v0.2.3 client (with speculations about both the USA's FBI and NSA involvement). This slowed the Tor network by increasing handshakes between relay nodes. See this info. In addition, DDoS attacks in 2014 exploited vulnerabilities in Tor versions < 0.2.4.18-rc. See this info. For these reasons it is best to use a recent version of Tor.

In the past, it was suggested by some users that the v.0.2.2 client (which is still available in the (K)Ubuntu repositories) was not vulnerable to the 2013 botnet. This has not been verified, nor does that version seem immune to recent attacks.

Router speed

Although applicable to p2p traffic, this information is generically applicable to Tor as well.

Some routers (including a certain version of the Linksys WRT54G) slow down when the incoming/outgoing connection log (cache) becomes full (which can happen with many Tor or P2P connections). Disable the Log if this problem occurs.

An uncommonly recognized problem (with some routers, such as the WRT54G, with heavy traffic flow on startup) is that of a connection storm. The fix is not trivial and may require using custom firmware and/or working with the iptables firewall. See this info.

Other resources

Obfsproxy is a proxy to transform data between a client and a Bridge node into innocent looking data, in order to circumvent Deep Packet Inspection (DPI) censorship. See the Debian/(K)Ubuntu instructions.

OnionCat is a VPN adapter/service that transmits IP-based data transparently through the Tor network on a location hidden basis. (Also see this.) A Launchpad repository is here.

Tails is a free, complete GNOME-based Debian Linux operating system with Tor enabled by default. Iceweasel (the free Debian version of Firefox) and other Internet tools are cryptographically enhanced, and, for privacy, browsing and other Internet usage traces are minimised. Components include LUKS for disk encryption, Nautilus Wipe for erasing disk traces using the Nautilus file manager, KeePassX for password generation and encrypted password storage, the Firefox plug-in HTTPS Everywhere to ensure the usage of encrypted website portals, and Off-the-Record Messaging for Internet Message encryption, among others.

Free webhost reviews -- any online storage site must be assumed to be insecure, so these should always be accessed through Tor and never used for private files. A popular method is to sign up for a webhost account (through Tor) using an anonymous email account (also created using Tor) then subsequently to use Filezilla with Tor to securely transfer files to the webhost. See this article if interested in using the webhost as a webseed for BitTorrent. Because many free webhost providers are insecure, you may wish to consider accessing the free webhost within a quarantined virtual machine and access the webhost only through Tor (such as with Filezilla with Tor).

Here are some moderated lists of Tor hidden services from the Deep Web Wiki (primarily accessible with Tor running and enabled as a proxy):